[FALSE ALARM] Kaspersky Alarming Virus Warning
-
- Posts: 8
- Joined: Wed Nov 30, 2016 11:46 pm
[FALSE ALARM] Kaspersky Alarming Virus Warning
I installed 10.1 update with no problem yesterday afternoon but this morning woke up to these virus notices and a locked down computer which demanded disinfection from:
FCOutDrw.dll Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe/data0083 Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe UDS:DangerousObjectMulti.Generic
You can see how it's reported in VirusTotal here:
https://www.virustotal.com/en/file/f2b5 ... 480601892/
I hope and presume this is a false alarm, but obviously for Kaspersky users this is a problem.
FCOutDrw.dll Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe/data0083 Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe UDS:DangerousObjectMulti.Generic
You can see how it's reported in VirusTotal here:
https://www.virustotal.com/en/file/f2b5 ... 480601892/
I hope and presume this is a false alarm, but obviously for Kaspersky users this is a problem.
-
- Top Typographer
- Posts: 9878
- Joined: Tue Oct 29, 2002 5:28 am
- Location: Seven Kings, London UK
- Contact:
Re: Kaspersky Alarming Virus Warning
Yes, of course it's a false alarm. If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.
Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
-
- Posts: 25
- Joined: Sat Feb 06, 2016 2:36 pm
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
Another customer just forwarded a report from Anti-Virus Lab, Kaspersky Lab HQ:
Thank you for sending a file for analysis to the Anti-Virus Lab.
Kaspersky Anti-Virus has scanned files.
No malware detected in files:
FontCreatorSetup.exe
We will thoroughly analyze files. If the result of the analysis is different from this scan result, you will be notified via email within 5 days.
This is an automatically generated message. Please, do not reply to it.
-
- Posts: 8
- Joined: Wed Nov 30, 2016 11:46 pm
Re: Kaspersky Alarming Virus Warning
FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.
Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
FCOutDrw is a new dynamic linked library (DLL) which is used to draw smooth glyph outlines. If the file is removed, FontCreator will use the old drawing method.ben8238723 wrote:FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.
Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule
-
- Posts: 8
- Joined: Wed Nov 30, 2016 11:46 pm
Re: Kaspersky Alarming Virus Warning
Thanks for the detailed explanation. Just curious, why would the new method use the even-odd rule? Is it to try to highlight and discourage people leaving curve overlaps in a font or something? Ultimately the fonts seem to render okay either way when used as a font, but maybe it's bad form.Erwin Denissen wrote:The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
The new method uses the graphical device interface to draw outlines, which should be faster, and is smooth. The downside at the moment is the fact we can't change the fill mode.
The first line is drawn with the old method, the second line is the improved one.
The "F" consist of a single contour that is self-intersecting.
The first line is drawn with the old method, the second line is the improved one.
The "F" consist of a single contour that is self-intersecting.
-
- Posts: 6
- Joined: Sat Feb 15, 2014 8:29 pm
Re: Kaspersky Alarming Virus Warning
Bumping this to make a note that Windows Defender is now also flagging and removing it.
Windows 10 Pro
Definitions version: 1.233.1718.0
Windows 10 Pro
Definitions version: 1.233.1718.0
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.
What file(s) are flagged on your system?
What file(s) are flagged on your system?
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
In Windows 10.1 Pro, Windows Defender just flagged FCOutDrw.dll as a Trojan on my machine ...
More precisely, it said:
"There is a problem [TrojanSpy:Win32/Banker] in [FCOutDrw.dll] You should run a full system scan to fix it." Even now after I removed the file from quarantine.
I am looking for ways to alert Microsoft.
More precisely, it said:
"There is a problem [TrojanSpy:Win32/Banker] in [FCOutDrw.dll] You should run a full system scan to fix it." Even now after I removed the file from quarantine.
I am looking for ways to alert Microsoft.
Re: Kaspersky Alarming Virus Warning
My PC gets scanned everyday by Win Defender. I just did a manual scan on the SysWOW64 folder and there was no issue even though the noted DLL is present. Also Win 10.1 Pro.
Weird.
Mike
Weird.
Mike
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
Can you send that file to us, so we can compare it with ours?
Or upload it to https://www.virustotal.com/ and let us know the processed url.
We've just uploaded it at:
https://www.virustotal.com/en/file/1e16 ... 481236460/
SHA256: 1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd
File name: FCOutDrw.dll
Detection ratio: 0 / 54
Analysis date: 2016-12-08 22:34:20 UTC
Or upload it to https://www.virustotal.com/ and let us know the processed url.
We've just uploaded it at:
https://www.virustotal.com/en/file/1e16 ... 481236460/
SHA256: 1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd
File name: FCOutDrw.dll
Detection ratio: 0 / 54
Analysis date: 2016-12-08 22:34:20 UTC
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
I performed a complete scan with Windows Defender and it listed more items associated with this detected "Trojan":
containerfile:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe
containerfile:C:\Users\Nick\Downloads\FontCreatorSetup.exe
file:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe->(inno#000083)
file:C:\Users\Nick\Downloads\FontCreatorSetup.exe->(inno#000083)
Which I suppose are just the locations of where this dll came from although I do not understand why the setup.exe is in two different places..
containerfile:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe
containerfile:C:\Users\Nick\Downloads\FontCreatorSetup.exe
file:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe->(inno#000083)
file:C:\Users\Nick\Downloads\FontCreatorSetup.exe->(inno#000083)
Which I suppose are just the locations of where this dll came from although I do not understand why the setup.exe is in two different places..
-
- Moderator
- Posts: 11160
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
- Contact:
Re: Kaspersky Alarming Virus Warning
Can you upload them to virustotal, or send them to me?
We've just released another maintenance release, so I wonder what Defender has to say about it. On my system it all runs just fine
We've just released another maintenance release, so I wonder what Defender has to say about it. On my system it all runs just fine